change hooked_syscalls event so users can specify syscalls to check. #3136

Merged: yanivagman merged 3 commits into aquasecurity:main from AsafEitani:syscall_hooking_change on Jun 26, 2023
Conversation
AsafEitani force-pushed the syscall_hooking_change branch from 542fb53 to 41e4064 on May 23, 2023 16:20
AsafEitani force-pushed the syscall_hooking_change branch 2 times, most recently from 8ecf5af to ff3ec72 on May 24, 2023 11:41
AsafEitani force-pushed the syscall_hooking_change branch 2 times, most recently from eb1cb1f to 4cbbc4f on May 28, 2023 12:53
AsafEitani force-pushed the syscall_hooking_change branch 2 times, most recently from 985d973 to 0f61ccb on May 29, 2023 10:29
AsafEitani force-pushed the syscall_hooking_change branch from 0f61ccb to 611244a on May 29, 2023 13:39
yanivagman requested changes on Jun 21, 2023
related to aquasecurity#2055 and fix some bugs the triggered events.
AsafEitani force-pushed the syscall_hooking_change branch from 21f288d to 0480c44 on June 22, 2023 09:01
AsafEitani force-pushed the syscall_hooking_change branch from 0480c44 to 5ffce7d on June 22, 2023 13:04
yanivagman requested changes on Jun 22, 2023
AsafEitani force-pushed the syscall_hooking_change branch 3 times, most recently from 57985c2 to 68276d4 on June 25, 2023 10:00
AsafEitani force-pushed the syscall_hooking_change branch from 68276d4 to b461520 on June 25, 2023 10:06
yanivagman approved these changes on Jun 25, 2023
AsafEitani force-pushed the syscall_hooking_change branch from b461520 to 673373b on June 25, 2023 10:09
related to #2055 and fix some bugs the triggered events.

1. Explain what the PR does

commit 542fb53 (HEAD -> syscall_hooking_change, origin/syscall_hooking_change)
Author: AsafEitani eitaniasaf@gmail.com
Date: Thu May 18 15:12:34 2023 +0300

2. Explain how to test it

Specify syscalls to check by adding `-f hooked_syscalls.args.check_syscalls=<syscall>,<syscall>`, for example:

`dist/tracee-ebpf -f e=hooked_syscalls -f hooked_syscalls.args.check_syscalls=execve,kill,getdents,getdents64`

See the list of checked syscalls and the list of hooked syscalls. Load a diamorphine kernel module rootkit and see the new event popping up with 3 hooked syscalls.

3. Other comments

Some of the changes were made to other events to fix bugs.